Restrict Oracle DB Login based on SQL Client being usedRestrict Oracle database schema from login using...

How to politely refuse in-office gym instructor for steroids and protein

Why are mages sometimes played bot instead of traditional ADCs?

Why is Shelob considered evil?

RS485 using USART or UART port on STM32

Coworker asking me to not bring cakes due to self control issue. What should I do?

If I tried and failed to start my own business, how do I apply for a job without job experience?

Is there a way to pause a running process on Linux systems and resume later?

Is there a non trivial covering of the Klein bottle by the Klein bottle

Is the fingering of thirds flexible or do I have to follow the rules?

Remove isolated elements of a vector

Is it really OK to use "because of"?

Insecure private-key encryption

XOR-free sets: Maximum density?

How to fly a direct entry holding pattern when approaching from an awkward angle?

What is a good reason for every spaceship to carry gun on board?

How bad is a Computer Science course that doesn't teach Design Patterns?

Other than edits for international editions, did Harry Potter and the Philosopher's Stone receive errata?

Prevent Nautilus / Nemo from creating .Trash-1000 folder in mounted devices

Is .NET Framework 3.5 still needed with a SQL Server 2017 installation to utilize Database Mail?

Why did Luke use his left hand to shoot?

Why did Ylvis use "go" instead of "say" in phrases like "Dog goes 'woof'"?

How to deal with an underperforming subordinate?

When using Volatility with a memory image, what is the Kernel version?

Democratic Socialism vs Social Democracy



Restrict Oracle DB Login based on SQL Client being used


Restrict Oracle database schema from login using Toad/PLSQLdifferent login credentials based on userExport Oracle Database User data from clientUse LDAP for name look up with Oracle Instant ClientSQL Server trace based on client TCP portHow to restrict table access to a applicationIs it ever good practice to use a distinct database account for each user of an application?SQL Server 2016 Security - Restrict users from viewing a single databaseHow to run Oracle Client 10g from non Administrator account?Granting Read access to Replica database (via data guard) but need to restrict the same login in production DatabaseOracle Database Client 12c Product Components













1















We have an application in our organization that is based on Oracle Forms 11g (on Oracle Fusion Middleware/WLS). Users have access to the application through accounts created at the database (i.e. they exist in dba_users). Each user is assigned a specific role based on their area of work and they use the user id to log on to the application. The user may have read/write access to certain functionality in the application and for this their roles have the following permissions-



EXECUTE ANY LIBRARY   

SELECT  ANY SEQUENCE   

EXECUTE ANY TYPE      

EXECUTE ANY PROCEDURE 

UPDATE  ANY TABLE      

SELECT  ANY TABLE      

DELETE  ANY TABLE      

EXECUTE ANY INDEXTYPE 

INSERT  ANY TABLE


Now we have some users requesting for SQL Client access (i.e. TNS settings) so that they can connect to the DB and perform queries for their research. These business users are ofcourse knowledgeable in SQL but we want to restrict their access based on the type of client they use to log on to the database. Any client other than the application itself, should restrict them to "read only".



Is there a way to achieve this?






oracle security







share|improve this question























  • Not possible. The name of the client is provided by the client itself - so the client can pretend to be sqlplus or sqldeveloper or annjawan. You have to restrict this through the user account, it's the only safe way.

    – a_horse_with_no_name
    Feb 27 '15 at 0:03











  • But we know the Application client's name. Can we restrict it like if not <app_client> then... perhaps through a BEFORE LOGON trigger? We also know the Machine Name which will always be the Application server name if the user is using the Application, that can be used as well?

    – Annjawn
    Feb 27 '15 at 0:09













  • I can connect with a different client pretending to be <app_client> without any problems. You can also change the value that shows up in machine in v$session (those are simply connection properties for a JDBC connection for example). You might be able to check the IP address in a logon trigger, but I'm not sure about that. The only (really: the only) safe way to restrict access is through privileges on the user account.

    – a_horse_with_no_name
    Feb 27 '15 at 0:19











  • Yes, I figured that is the only safe way but revoking access privilege will mean revoke privileges from the application too, which we don't want to do. I don't think the users are that smart to be changing their connection properties ;) but the question is will a BEFORE LOGON trigger with revoke command work?

    – Annjawn
    Feb 27 '15 at 0:28













  • The only way to do this is to create separate read-only users. A given user cannot have two seperate sets of grants.

    – Philᵀᴹ
    Feb 27 '15 at 7:59
















1















We have an application in our organization that is based on Oracle Forms 11g (on Oracle Fusion Middleware/WLS). Users have access to the application through accounts created at the database (i.e. they exist in dba_users). Each user is assigned a specific role based on their area of work and they use the user id to log on to the application. The user may have read/write access to certain functionality in the application and for this their roles have the following permissions-



EXECUTE ANY LIBRARY   

SELECT  ANY SEQUENCE   

EXECUTE ANY TYPE      

EXECUTE ANY PROCEDURE 

UPDATE  ANY TABLE      

SELECT  ANY TABLE      

DELETE  ANY TABLE      

EXECUTE ANY INDEXTYPE 

INSERT  ANY TABLE


Now we have some users requesting for SQL Client access (i.e. TNS settings) so that they can connect to the DB and perform queries for their research. These business users are ofcourse knowledgeable in SQL but we want to restrict their access based on the type of client they use to log on to the database. Any client other than the application itself, should restrict them to "read only".



Is there a way to achieve this?






oracle security







share|improve this question























  • Not possible. The name of the client is provided by the client itself - so the client can pretend to be sqlplus or sqldeveloper or annjawan. You have to restrict this through the user account, it's the only safe way.

    – a_horse_with_no_name
    Feb 27 '15 at 0:03











  • But we know the Application client's name. Can we restrict it like if not <app_client> then... perhaps through a BEFORE LOGON trigger? We also know the Machine Name which will always be the Application server name if the user is using the Application, that can be used as well?

    – Annjawn
    Feb 27 '15 at 0:09













  • I can connect with a different client pretending to be <app_client> without any problems. You can also change the value that shows up in machine in v$session (those are simply connection properties for a JDBC connection for example). You might be able to check the IP address in a logon trigger, but I'm not sure about that. The only (really: the only) safe way to restrict access is through privileges on the user account.

    – a_horse_with_no_name
    Feb 27 '15 at 0:19











  • Yes, I figured that is the only safe way but revoking access privilege will mean revoke privileges from the application too, which we don't want to do. I don't think the users are that smart to be changing their connection properties ;) but the question is will a BEFORE LOGON trigger with revoke command work?

    – Annjawn
    Feb 27 '15 at 0:28













  • The only way to do this is to create separate read-only users. A given user cannot have two seperate sets of grants.

    – Philᵀᴹ
    Feb 27 '15 at 7:59














1












1








1








We have an application in our organization that is based on Oracle Forms 11g (on Oracle Fusion Middleware/WLS). Users have access to the application through accounts created at the database (i.e. they exist in dba_users). Each user is assigned a specific role based on their area of work and they use the user id to log on to the application. The user may have read/write access to certain functionality in the application and for this their roles have the following permissions-



EXECUTE ANY LIBRARY   

SELECT  ANY SEQUENCE   

EXECUTE ANY TYPE      

EXECUTE ANY PROCEDURE 

UPDATE  ANY TABLE      

SELECT  ANY TABLE      

DELETE  ANY TABLE      

EXECUTE ANY INDEXTYPE 

INSERT  ANY TABLE


Now we have some users requesting for SQL Client access (i.e. TNS settings) so that they can connect to the DB and perform queries for their research. These business users are ofcourse knowledgeable in SQL but we want to restrict their access based on the type of client they use to log on to the database. Any client other than the application itself, should restrict them to "read only".



Is there a way to achieve this?






oracle security







share|improve this question














We have an application in our organization that is based on Oracle Forms 11g (on Oracle Fusion Middleware/WLS). Users have access to the application through accounts created at the database (i.e. they exist in dba_users). Each user is assigned a specific role based on their area of work and they use the user id to log on to the application. The user may have read/write access to certain functionality in the application and for this their roles have the following permissions-



EXECUTE ANY LIBRARY   

SELECT  ANY SEQUENCE   

EXECUTE ANY TYPE      

EXECUTE ANY PROCEDURE 

UPDATE  ANY TABLE      

SELECT  ANY TABLE      

DELETE  ANY TABLE      

EXECUTE ANY INDEXTYPE 

INSERT  ANY TABLE


Now we have some users requesting for SQL Client access (i.e. TNS settings) so that they can connect to the DB and perform queries for their research. These business users are ofcourse knowledgeable in SQL but we want to restrict their access based on the type of client they use to log on to the database. Any client other than the application itself, should restrict them to "read only".



Is there a way to achieve this?






oracle security




oracle security






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Feb 26 '15 at 23:52









AnnjawnAnnjawn

12019




12019













  • Not possible. The name of the client is provided by the client itself - so the client can pretend to be sqlplus or sqldeveloper or annjawan. You have to restrict this through the user account, it's the only safe way.

    – a_horse_with_no_name
    Feb 27 '15 at 0:03











  • But we know the Application client's name. Can we restrict it like if not <app_client> then... perhaps through a BEFORE LOGON trigger? We also know the Machine Name which will always be the Application server name if the user is using the Application, that can be used as well?

    – Annjawn
    Feb 27 '15 at 0:09













  • I can connect with a different client pretending to be <app_client> without any problems. You can also change the value that shows up in machine in v$session (those are simply connection properties for a JDBC connection for example). You might be able to check the IP address in a logon trigger, but I'm not sure about that. The only (really: the only) safe way to restrict access is through privileges on the user account.

    – a_horse_with_no_name
    Feb 27 '15 at 0:19











  • Yes, I figured that is the only safe way but revoking access privilege will mean revoke privileges from the application too, which we don't want to do. I don't think the users are that smart to be changing their connection properties ;) but the question is will a BEFORE LOGON trigger with revoke command work?

    – Annjawn
    Feb 27 '15 at 0:28













  • The only way to do this is to create separate read-only users. A given user cannot have two seperate sets of grants.

    – Philᵀᴹ
    Feb 27 '15 at 7:59



















  • Not possible. The name of the client is provided by the client itself - so the client can pretend to be sqlplus or sqldeveloper or annjawan. You have to restrict this through the user account, it's the only safe way.

    – a_horse_with_no_name
    Feb 27 '15 at 0:03











  • But we know the Application client's name. Can we restrict it like if not <app_client> then... perhaps through a BEFORE LOGON trigger? We also know the Machine Name which will always be the Application server name if the user is using the Application, that can be used as well?

    – Annjawn
    Feb 27 '15 at 0:09













  • I can connect with a different client pretending to be <app_client> without any problems. You can also change the value that shows up in machine in v$session (those are simply connection properties for a JDBC connection for example). You might be able to check the IP address in a logon trigger, but I'm not sure about that. The only (really: the only) safe way to restrict access is through privileges on the user account.

    – a_horse_with_no_name
    Feb 27 '15 at 0:19











  • Yes, I figured that is the only safe way but revoking access privilege will mean revoke privileges from the application too, which we don't want to do. I don't think the users are that smart to be changing their connection properties ;) but the question is will a BEFORE LOGON trigger with revoke command work?

    – Annjawn
    Feb 27 '15 at 0:28













  • The only way to do this is to create separate read-only users. A given user cannot have two seperate sets of grants.

    – Philᵀᴹ
    Feb 27 '15 at 7:59

















Not possible. The name of the client is provided by the client itself - so the client can pretend to be sqlplus or sqldeveloper or annjawan. You have to restrict this through the user account, it's the only safe way.

– a_horse_with_no_name
Feb 27 '15 at 0:03





Not possible. The name of the client is provided by the client itself - so the client can pretend to be sqlplus or sqldeveloper or annjawan. You have to restrict this through the user account, it's the only safe way.

– a_horse_with_no_name
Feb 27 '15 at 0:03













But we know the Application client's name. Can we restrict it like if not <app_client> then... perhaps through a BEFORE LOGON trigger? We also know the Machine Name which will always be the Application server name if the user is using the Application, that can be used as well?

– Annjawn
Feb 27 '15 at 0:09







But we know the Application client's name. Can we restrict it like if not <app_client> then... perhaps through a BEFORE LOGON trigger? We also know the Machine Name which will always be the Application server name if the user is using the Application, that can be used as well?

– Annjawn
Feb 27 '15 at 0:09















I can connect with a different client pretending to be <app_client> without any problems. You can also change the value that shows up in machine in v$session (those are simply connection properties for a JDBC connection for example). You might be able to check the IP address in a logon trigger, but I'm not sure about that. The only (really: the only) safe way to restrict access is through privileges on the user account.

– a_horse_with_no_name
Feb 27 '15 at 0:19





I can connect with a different client pretending to be <app_client> without any problems. You can also change the value that shows up in machine in v$session (those are simply connection properties for a JDBC connection for example). You might be able to check the IP address in a logon trigger, but I'm not sure about that. The only (really: the only) safe way to restrict access is through privileges on the user account.

– a_horse_with_no_name
Feb 27 '15 at 0:19













Yes, I figured that is the only safe way but revoking access privilege will mean revoke privileges from the application too, which we don't want to do. I don't think the users are that smart to be changing their connection properties ;) but the question is will a BEFORE LOGON trigger with revoke command work?

– Annjawn
Feb 27 '15 at 0:28







Yes, I figured that is the only safe way but revoking access privilege will mean revoke privileges from the application too, which we don't want to do. I don't think the users are that smart to be changing their connection properties ;) but the question is will a BEFORE LOGON trigger with revoke command work?

– Annjawn
Feb 27 '15 at 0:28















The only way to do this is to create separate read-only users. A given user cannot have two seperate sets of grants.

– Philᵀᴹ
Feb 27 '15 at 7:59





The only way to do this is to create separate read-only users. A given user cannot have two seperate sets of grants.

– Philᵀᴹ
Feb 27 '15 at 7:59










1 Answer
1






active

oldest

votes


















2














You can check it with a database trigger, for example:



CREATE ROLE ROLE_POWER_USER NOT IDENTIFIED;



CREATE OR REPLACE TRIGGER LOG_T_LOGON 

    AFTER LOGON ON DATABASE

DECLARE



    osUser VARCHAR2(30);

    machine VARCHAR2(100); 

    prog VARCHAR2(100)

    ip VARCHAR2(15);



BEGIN



    IF ora_login_user IS NULL THEN 

        RETURN;

    END IF;



    SELECT OSUSER, MACHINE, PROGRAM, ora_client_ip_address

    INTO osUser, machine, prog, ip

    FROM V$SESSION 

    WHERE SID = SYS_CONTEXT('USERENV', 'SID');



    IF NOT DBMS_SESSION.IS_ROLE_ENABLED('ROLE_POWER_USER') THEN     

        IF LOWER(prog) <> 'your_application_name.exe' THEN

            RAISE_APPLICATION_ERROR(-20000, 'Logon denied: You must use only the official client application');

        END IF;

    ELSE

        IF LOWER(prog) NOT IN ('sqlplus.exe', 'toad.exe') THEN

            RAISE_APPLICATION_ERROR(-20000, 'Logon denied: You must use only SQL*Plus or TOAD for you private queries');

        END IF; 

    END IF;

    -- Successful login, continue as normal

END;

/


You can also check other conditions like IP-Address or the machine name.



SELECT privileges on tables and views you have to grant to the user or ROLE in the "classic" way. This trigger only prevents to logon to the database with certain tools.



Note, a user with System Privilege ADMINISTER DATABASE TRIGGER (for example DBA role, or SYS of course) never get the exception, i.e. they can logon to the database in any case and you cannot block this by the trigger.



Another note: This trigger is not 100% secure. For example you can simply make a copy of your local sqlplus.exe and name it your_application_name.exe. Then this trigger would allow to use it.






share|improve this answer


























  • I don't need to make a copy of sqlplus.exe to connect using your_application_name.exe. In a JDBC client this is a simple configuration property (so is machine name or OS user)

    – a_horse_with_no_name
    Feb 27 '15 at 13:21











  • @wernfried This trigger worked pretty nicely. We did some changes to it to include checking the user PROFILE and instead of checking the program we check the MACHINE from where the conncection is coming from. Our Application always connects from the App Server Machine id even when User logs on to the app from their PC and that server machine id will not change (ever). So that solves the program name problem.

    – Annjawn
    Mar 9 '15 at 19:52











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "182"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f93949%2frestrict-oracle-db-login-based-on-sql-client-being-used%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









2














You can check it with a database trigger, for example:



CREATE ROLE ROLE_POWER_USER NOT IDENTIFIED;



CREATE OR REPLACE TRIGGER LOG_T_LOGON 

    AFTER LOGON ON DATABASE

DECLARE



    osUser VARCHAR2(30);

    machine VARCHAR2(100); 

    prog VARCHAR2(100)

    ip VARCHAR2(15);



BEGIN



    IF ora_login_user IS NULL THEN 

        RETURN;

    END IF;



    SELECT OSUSER, MACHINE, PROGRAM, ora_client_ip_address

    INTO osUser, machine, prog, ip

    FROM V$SESSION 

    WHERE SID = SYS_CONTEXT('USERENV', 'SID');



    IF NOT DBMS_SESSION.IS_ROLE_ENABLED('ROLE_POWER_USER') THEN     

        IF LOWER(prog) <> 'your_application_name.exe' THEN

            RAISE_APPLICATION_ERROR(-20000, 'Logon denied: You must use only the official client application');

        END IF;

    ELSE

        IF LOWER(prog) NOT IN ('sqlplus.exe', 'toad.exe') THEN

            RAISE_APPLICATION_ERROR(-20000, 'Logon denied: You must use only SQL*Plus or TOAD for you private queries');

        END IF; 

    END IF;

    -- Successful login, continue as normal

END;

/


You can also check other conditions like IP-Address or the machine name.



SELECT privileges on tables and views you have to grant to the user or ROLE in the "classic" way. This trigger only prevents to logon to the database with certain tools.



Note, a user with System Privilege ADMINISTER DATABASE TRIGGER (for example DBA role, or SYS of course) never get the exception, i.e. they can logon to the database in any case and you cannot block this by the trigger.



Another note: This trigger is not 100% secure. For example you can simply make a copy of your local sqlplus.exe and name it your_application_name.exe. Then this trigger would allow to use it.






share|improve this answer


























  • I don't need to make a copy of sqlplus.exe to connect using your_application_name.exe. In a JDBC client this is a simple configuration property (so is machine name or OS user)

    – a_horse_with_no_name
    Feb 27 '15 at 13:21











  • @wernfried This trigger worked pretty nicely. We did some changes to it to include checking the user PROFILE and instead of checking the program we check the MACHINE from where the conncection is coming from. Our Application always connects from the App Server Machine id even when User logs on to the app from their PC and that server machine id will not change (ever). So that solves the program name problem.

    – Annjawn
    Mar 9 '15 at 19:52
















2














You can check it with a database trigger, for example:



CREATE ROLE ROLE_POWER_USER NOT IDENTIFIED;



CREATE OR REPLACE TRIGGER LOG_T_LOGON 

    AFTER LOGON ON DATABASE

DECLARE



    osUser VARCHAR2(30);

    machine VARCHAR2(100); 

    prog VARCHAR2(100)

    ip VARCHAR2(15);



BEGIN



    IF ora_login_user IS NULL THEN 

        RETURN;

    END IF;



    SELECT OSUSER, MACHINE, PROGRAM, ora_client_ip_address

    INTO osUser, machine, prog, ip

    FROM V$SESSION 

    WHERE SID = SYS_CONTEXT('USERENV', 'SID');



    IF NOT DBMS_SESSION.IS_ROLE_ENABLED('ROLE_POWER_USER') THEN     

        IF LOWER(prog) <> 'your_application_name.exe' THEN

            RAISE_APPLICATION_ERROR(-20000, 'Logon denied: You must use only the official client application');

        END IF;

    ELSE

        IF LOWER(prog) NOT IN ('sqlplus.exe', 'toad.exe') THEN

            RAISE_APPLICATION_ERROR(-20000, 'Logon denied: You must use only SQL*Plus or TOAD for you private queries');

        END IF; 

    END IF;

    -- Successful login, continue as normal

END;

/


You can also check other conditions like IP-Address or the machine name.



SELECT privileges on tables and views you have to grant to the user or ROLE in the "classic" way. This trigger only prevents to logon to the database with certain tools.



Note, a user with System Privilege ADMINISTER DATABASE TRIGGER (for example DBA role, or SYS of course) never get the exception, i.e. they can logon to the database in any case and you cannot block this by the trigger.



Another note: This trigger is not 100% secure. For example you can simply make a copy of your local sqlplus.exe and name it your_application_name.exe. Then this trigger would allow to use it.






share|improve this answer


























  • I don't need to make a copy of sqlplus.exe to connect using your_application_name.exe. In a JDBC client this is a simple configuration property (so is machine name or OS user)

    – a_horse_with_no_name
    Feb 27 '15 at 13:21











  • @wernfried This trigger worked pretty nicely. We did some changes to it to include checking the user PROFILE and instead of checking the program we check the MACHINE from where the conncection is coming from. Our Application always connects from the App Server Machine id even when User logs on to the app from their PC and that server machine id will not change (ever). So that solves the program name problem.

    – Annjawn
    Mar 9 '15 at 19:52














2












2








2







You can check it with a database trigger, for example:



CREATE ROLE ROLE_POWER_USER NOT IDENTIFIED;



CREATE OR REPLACE TRIGGER LOG_T_LOGON 

    AFTER LOGON ON DATABASE

DECLARE



    osUser VARCHAR2(30);

    machine VARCHAR2(100); 

    prog VARCHAR2(100)

    ip VARCHAR2(15);



BEGIN



    IF ora_login_user IS NULL THEN 

        RETURN;

    END IF;



    SELECT OSUSER, MACHINE, PROGRAM, ora_client_ip_address

    INTO osUser, machine, prog, ip

    FROM V$SESSION 

    WHERE SID = SYS_CONTEXT('USERENV', 'SID');



    IF NOT DBMS_SESSION.IS_ROLE_ENABLED('ROLE_POWER_USER') THEN     

        IF LOWER(prog) <> 'your_application_name.exe' THEN

            RAISE_APPLICATION_ERROR(-20000, 'Logon denied: You must use only the official client application');

        END IF;

    ELSE

        IF LOWER(prog) NOT IN ('sqlplus.exe', 'toad.exe') THEN

            RAISE_APPLICATION_ERROR(-20000, 'Logon denied: You must use only SQL*Plus or TOAD for you private queries');

        END IF; 

    END IF;

    -- Successful login, continue as normal

END;

/


You can also check other conditions like IP-Address or the machine name.



SELECT privileges on tables and views you have to grant to the user or ROLE in the "classic" way. This trigger only prevents to logon to the database with certain tools.



Note, a user with System Privilege ADMINISTER DATABASE TRIGGER (for example DBA role, or SYS of course) never get the exception, i.e. they can logon to the database in any case and you cannot block this by the trigger.



Another note: This trigger is not 100% secure. For example you can simply make a copy of your local sqlplus.exe and name it your_application_name.exe. Then this trigger would allow to use it.






share|improve this answer















You can check it with a database trigger, for example:



CREATE ROLE ROLE_POWER_USER NOT IDENTIFIED;



CREATE OR REPLACE TRIGGER LOG_T_LOGON 

    AFTER LOGON ON DATABASE

DECLARE



    osUser VARCHAR2(30);

    machine VARCHAR2(100); 

    prog VARCHAR2(100)

    ip VARCHAR2(15);



BEGIN



    IF ora_login_user IS NULL THEN 

        RETURN;

    END IF;



    SELECT OSUSER, MACHINE, PROGRAM, ora_client_ip_address

    INTO osUser, machine, prog, ip

    FROM V$SESSION 

    WHERE SID = SYS_CONTEXT('USERENV', 'SID');



    IF NOT DBMS_SESSION.IS_ROLE_ENABLED('ROLE_POWER_USER') THEN     

        IF LOWER(prog) <> 'your_application_name.exe' THEN

            RAISE_APPLICATION_ERROR(-20000, 'Logon denied: You must use only the official client application');

        END IF;

    ELSE

        IF LOWER(prog) NOT IN ('sqlplus.exe', 'toad.exe') THEN

            RAISE_APPLICATION_ERROR(-20000, 'Logon denied: You must use only SQL*Plus or TOAD for you private queries');

        END IF; 

    END IF;

    -- Successful login, continue as normal

END;

/


You can also check other conditions like IP-Address or the machine name.



SELECT privileges on tables and views you have to grant to the user or ROLE in the "classic" way. This trigger only prevents to logon to the database with certain tools.



Note, a user with System Privilege ADMINISTER DATABASE TRIGGER (for example DBA role, or SYS of course) never get the exception, i.e. they can logon to the database in any case and you cannot block this by the trigger.



Another note: This trigger is not 100% secure. For example you can simply make a copy of your local sqlplus.exe and name it your_application_name.exe. Then this trigger would allow to use it.







share|improve this answer














share|improve this answer



share|improve this answer








edited Feb 27 '15 at 12:08

























answered Feb 27 '15 at 9:09









Wernfried DomscheitWernfried Domscheit

1,203611




1,203611













  • I don't need to make a copy of sqlplus.exe to connect using your_application_name.exe. In a JDBC client this is a simple configuration property (so is machine name or OS user)

    – a_horse_with_no_name
    Feb 27 '15 at 13:21











  • @wernfried This trigger worked pretty nicely. We did some changes to it to include checking the user PROFILE and instead of checking the program we check the MACHINE from where the conncection is coming from. Our Application always connects from the App Server Machine id even when User logs on to the app from their PC and that server machine id will not change (ever). So that solves the program name problem.

    – Annjawn
    Mar 9 '15 at 19:52



















  • I don't need to make a copy of sqlplus.exe to connect using your_application_name.exe. In a JDBC client this is a simple configuration property (so is machine name or OS user)

    – a_horse_with_no_name
    Feb 27 '15 at 13:21











  • @wernfried This trigger worked pretty nicely. We did some changes to it to include checking the user PROFILE and instead of checking the program we check the MACHINE from where the conncection is coming from. Our Application always connects from the App Server Machine id even when User logs on to the app from their PC and that server machine id will not change (ever). So that solves the program name problem.

    – Annjawn
    Mar 9 '15 at 19:52

















I don't need to make a copy of sqlplus.exe to connect using your_application_name.exe. In a JDBC client this is a simple configuration property (so is machine name or OS user)

– a_horse_with_no_name
Feb 27 '15 at 13:21





I don't need to make a copy of sqlplus.exe to connect using your_application_name.exe. In a JDBC client this is a simple configuration property (so is machine name or OS user)

– a_horse_with_no_name
Feb 27 '15 at 13:21













@wernfried This trigger worked pretty nicely. We did some changes to it to include checking the user PROFILE and instead of checking the program we check the MACHINE from where the conncection is coming from. Our Application always connects from the App Server Machine id even when User logs on to the app from their PC and that server machine id will not change (ever). So that solves the program name problem.

– Annjawn
Mar 9 '15 at 19:52





@wernfried This trigger worked pretty nicely. We did some changes to it to include checking the user PROFILE and instead of checking the program we check the MACHINE from where the conncection is coming from. Our Application always connects from the App Server Machine id even when User logs on to the app from their PC and that server machine id will not change (ever). So that solves the program name problem.

– Annjawn
Mar 9 '15 at 19:52


















draft saved

draft discarded




















































Thanks for contributing an answer to Database Administrators Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f93949%2frestrict-oracle-db-login-based-on-sql-client-being-used%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Szabolcs (Ungheria) Altri progetti | Menu di navigazione48°10′14.56″N 21°29′33.14″E /...

Image
Comuni della provincia di Szabolcs-Szatmár-Bereg Ungheria2001provincia di Szabolcs-Szatmár-Bereg Szabolcs comune Localizzazione Stato   Ungheria Regione Grande Pianura Settentrionale Provincia Szabolcs-Szatmár-Bereg Territorio Coordinate 48°10′14.56″N 21°29′33.14″E  /  48.17071°N 21.49254°E 48.17071; 21.49254  ( Szabolcs ) Coordinate: 48°10′14.56″N 21°29′33.14″E  /  48.17071°N 21.49254°E 48.17071; 21.49254  ( Szabolcs ) Superficie 5,88 km² Abitanti 425 (2001) Densità 72,28 ab./km² Altre informazioni Cod. postale 4467 Prefisso 42 Fuso orario UTC+1 Codice KSH 19169 Cartografia Szabolcs Sito istituzionale Modifica dati su Wikidata  · Manuale Szabolcs è un comune dell'Ungheria di 425 abitanti (dati 2001). È situato nella provincia di Szabolcs-Szatmár-Bereg. Altri progetti | Altri progetti Wikimedia Commons Wikimedia Commons contiene immagini o altri file su Szabolcs .mw-parser-output
Read more

Discografia di Klaus Schulze Indice Album in studio | Album dal vivo | Singoli | Antologie | Colonne...

Image
Discografie di artisti tedeschi Voce principale: Klaus Schulze . Discografia di Klaus Schulze Klaus Schulze e Lisa Gerrard durante un concerto Album in studio 56 ↙ Album dal vivo 15 ↙ Raccolte 37 ↙ Singoli 4 ↙ Album video 1 ↙ Colonne sonore 4 ↙ Indice 1 Album in studio 1.1 Solisti 1.1.1 Come Richard Wahnfried 1.2 Collaborazioni 1.2.1 Con Rainer Bloss 1.2.2 Con Rainer Bloss ed Ernst Fuchs 1.2.3 Con Lisa Gerrard 1.2.4 Con Andreas Grosser 1.2.5 Con Pete Namlook 1.2.6 Con Pete Namlook e Bill Laswell 1.2.7 Con Michael Shrieve 1.2.8 Con Solar Moon 1.2.9 Con artisti vari 2 Album dal vivo 3 Singoli 4 Antologie 5 Colonne sonore 6 Videografia 7 Collegamenti musica Album in studio | Solisti | 1972 – Irrlicht 1973 – Cyborg 1974 – Blackdance 1975 – Timewind 1975 – Picture Music 1976 – Moondawn 1977 – Mirage 1978 – "X" 1979 – Dune
Read more

How to make inet_server_addr() return localhost in spite of ::1/128RETURN NEXT in Postgres FunctionConnect to...

Image
Potential client has a problematic employee I can't work with Can the "Friends" spell be used without making the target hostile? Does it take energy to move something in a circle? Why are carbons of Inositol chiral centers? Count repetitions of an array Which RAF squadrons and aircraft types took part in the bombing of Berlin on the 25th of August 1940? Memory usage: #define vs. static const for uint8_t Broad Strokes - missing letter riddle Why does 0.-5 evaluate to -5? Why is 'diphthong' pronounced the way it is? Why did Luke use his left hand to shoot?
Read more